Since I began my bug hunting journey, I have seen the same question many times: "How do I start in Bug Bounty/Ethical hacking/Penetration testing?" I can't suggest my own path to a beginner because I started over five years ago and faced many different circumstances. Finding a clear answer has been a struggle (and a challenge). But I created a goal to find a clear way for beginners.

I faced many problems, including:
- Instructors (Arabic ones) are either too technical for beginners or lack real expertise.
- There is a wide range of tools and techniques that confuse learners (even expert ones).
- This is the worst obstacle. The community is full of conflicting and incorrect opinions, creating what feels like a "bad advice cancer," which makes it hard to know who to trust.

I thought about making my own course, but I still need more experience before I start sharing knowledge that way. However, after a long search, I finally found a clear answer!

The book "Bug Bounty Playbook" by Alex Thomas is a fantastic resource to start your career. It transforms complex techniques into structured paths. It also provides valuable information that I believe every beginner needs.

The book begins with an introduction to bug hunting and the general career track. Its introduction covers:
- Essential Vocabulary: The terms you need to know to continue in the track.
- The Right Setup: How to create a good setup so you can practice in a productive environment.
- Community Resources: A list of social media accounts and resources to follow. This is important as you need to engage with the community to keep learning.

Next, the book addresses a famous problem which is choosing a target. The book solves this by providing specific criteria to follow when picking your target.

My favorite part
After a solid introduction, the book moves into technical topics starting from Chapter 5. This is my favorite section. It covers practical information that many hunters ignore, which provides you with clear steps while hunting. Having a personal methodology gives you a great advantage over others (some hunters just try random things). The book also introduces different workflows in a beginner-friendly way, which is perfect for beginners.

What you will learn
The later chapters dive into specific workflows. While they are light dives, they provide a great foundation. By the end of this book, you will learn:
- How to discover assets (assets = websites) related to your target
- How to perform basic attacks on those assets
- Some tools used in specific scenarios

You will still need to put in effort to adapt these learnings to your own style, but the book successfully guides you from starting a hunt to finding a vulnerability.

Note that this book isn't magic. It won't take you from zero to hero; it can take you from zero to one. You must be patient, and one day you will find yourself exploding. You will be writing your own tools, giving a talk at an event, or even publishing your own books. The key is your patience.

My final rating
I rate this book at a Beginner Level. It introduces topics without overwhelming you with deep dives. I 100% recommend this book for beginners. It is the best starting point I have seen in my career. If you are looking for a deep dive into bug hunting, this book may be too basic for you, though it still adds value to your general knowledge.
There is a second version of this book that shows more attacks. You can find my review of that version in my next post.